A Brief History of the Password Problem, Part 4: Worst Passwords of 2014

The 2014 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords.
Los Gatos, CA – January 20, 2015 – SplashData has announced its annual list of the 25 most common passwords found on the Internet – thus making them the “Worst Passwords” that will expose anybody to being hacked or having their identities stolen. In its fourth annual report, compiled from more than 3.3 million leaked passwords during the year, “123456” and “password” continue to hold the top two spots that they have held each year since the first list in 2011. Other passwords in the top 10 include “qwerty,” “dragon,” and “football.”

As in past years’ lists, simple numerical passwords remain common, with nine of the top 25 passwords on the 2014 list comprised of numbers only.

Passwords appearing for the first time on SplashData’s list include “696969” and “batman.”

While Valentine’s Day is less than a month away, “iloveyou” is one of the nine passwords from 2013 to fall off the 2014 list.

According to SplashData, the passwords evaluated for the 2014 list were mostly held by users in North America and Western Europe. In 2014, millions of passwords from Russian accounts were also leaked, but these passwords were not included in the analysis.

SplashData’s list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords.

“Passwords based on simple patterns on your keyboard remain popular despite how weak they are,” said Morgan Slain, CEO of SplashData. “Any password using numbers alone should be avoided, especially sequences. As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, and they are still not secure.”

For example, users should avoid a sequence such as “qwertyuiop,” which is the top row of letters on a standard keyboard, or “1qaz2wsx” which comprises the first two ‘columns’ of numbers and letters on a keyboard.

Other tips from a review of this year’s Worst Passwords List include:

– Don’t use a favorite sport as your password – “baseball” and “football” are in the top 10, and “hockey,” “soccer” and “golfer” are in the top 100. Don’t use a favorite team either, as “yankees,” “eagles,” “steelers,” “rangers,” and “lakers” are all in the top 100.

– Don’t use your birthday or especially just your birth year — 1989, 1990, 1991, and 1992 are all in the top 100.

– While baby name books are popular for naming children, don’t use them as sources for picking passwords. Common names such as “michael,” “jennifer,” “thomas,” “jordan,” “hunter,” “michelle,” “charlie,” “andrew,” and “daniel” are all in the top 50.

– Also in the top 100 are swear words and phrases, hobbies, famous athletes, car brands, and film names.

This is the first year that SplashData has collaborated on the list with Mark Burnett, online security expert and author of “Perfect Passwords” (http://www.xato.net).

“The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years,” Burnett said. “The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”

SplashData, provider of the SplashID line of password management applications, releases its annual list in an effort to encourage the adoption of stronger passwords. Slain says, “As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”

Presenting SplashData’s “Worst Passwords of 2014”:

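| Rank | Password | Change from 2013 |
|------|-----------|------------------|
| 1 | 123456 | No Change |
| 2 | password | No Change |
| 3 | 12345 | Up 17 |
| 4 | 12345678 | Down 1 |
| 5 | qwerty | Down 1 |
| 6 | 123456789 | No Change |
| 7 | 1234 | Up 9 |
| 8 | baseball | New |
| 9 | dragon | New |
| 10 | football | New |
| 11 | 1234567 | Down 4 |
| 12 | monkey | Up 5 |
| 13 | letmein | Up 1 |
| 14 | abc123 | Down 9 |
| 15 | 111111 | Down 8 |
| 16 | mustang | New |
| 17 | access | New |
| 18 | shadow | Unchanged |
| 19 | master | New |
| 20 | michael | New |
| 21 | superman | New |
| 22 | 696969 | New |
| 23 | 123123 | Down 12 |
| 24 | batman | New |
| 25 | trustno1 | Down 1 |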

SplashData offers three simple tips to be safer from hackers online:

1. Use passwords of eight characters or more with mixed types of characters.
2. Avoid using the same username/password combination for multiple websites.
3. Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites.
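
The patterns this release warns about (the top-25 list, numbers-only passwords, birth years, and keyboard rows or columns such as “qwertyuiop” and “1qaz2wsx”) can be screened for when a password is set. The following is an added example, not SplashData's code; the function names and the US QWERTY layout are assumptions made for illustration.

```python
import re

# SplashData's 2014 top 25, copied from the table in this article.
TOP_25 = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
}

# Assumption: US QWERTY layout. Rows read left to right; columns read top to
# bottom, which yields "1qaz", "2wsx", ... as in the article's example.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLUMNS = ["".join(r[i] for r in ROWS if i < len(r)) for i in range(10)]
LINES = ROWS + COLUMNS
LINES += [line[::-1] for line in LINES]  # also catch reversed walks


def is_keyboard_walk(pw, min_run=3):
    """True when pw splits entirely into runs of >= min_run adjacent keys."""
    pw = pw.lower()
    # reachable[i]: pw[:i] can be cut into runs that each lie on one row/column
    reachable = [True] + [False] * len(pw)
    for i in range(len(pw)):
        if not reachable[i]:
            continue
        for j in range(i + min_run, len(pw) + 1):
            if any(pw[i:j] in line for line in LINES):
                reachable[j] = True
    return len(pw) >= min_run and reachable[len(pw)]


def weaknesses(pw):
    """Return the article's reasons for rejecting pw; an empty list means none matched."""
    p, found = pw.lower(), []
    if p in TOP_25:
        found.append("on the 2014 top-25 list")
    if re.fullmatch(r"[0-9]+", p):
        found.append("numbers only")
    if re.fullmatch(r"(19|20)[0-9]{2}", p):
        found.append("looks like a birth year")
    if is_keyboard_walk(p):
        found.append("keyboard pattern")
    if len(pw) < 8:
        found.append("shorter than eight characters")
    return found
```

An empty result only means none of these specific patterns matched; it does not show that a password is strong.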

About SplashData, Inc.

SplashData has been a leading provider of password management applications for over 10 years. SplashID Safe (www.splashid.com) has grown to be the most trusted multi-platform password solution for both the consumer and enterprise markets with over 1 million users worldwide. SplashID Safe’s popularity continues to rise as the number of user names, passwords, and account numbers most people have to remember is rapidly multiplying. At the same time, the risk of this kind of sensitive information falling into the wrong hands has never been greater. SplashID Safe helps solve this dilemma by creating an encrypted digital safe available on smartphones, computers, USB keys, or online, offering the peace of mind of being able to access critical information whenever needed while maintaining the security of 256-bit encryption. SplashData was founded in 2000 and is based in Los Gatos, CA.

40 Comments on "A Brief History of the Password Problem, Part 4: Worst Passwords of 2014"

Will

Whenever I read articles like this I think of the scene in the movie Spaceballs when the King reveals his password is 12345, and Mel Brooks notes how that's the same password on his briefcase. I always use gibberish as my password.

That's a great scene! Gibberish is good for passwords, just hard to remember. And what's gibberish to you may not in fact be random or hard to crack. So we recommend using the automatic password generator in a product like TeamsID to create truly random passwords that are extremely difficult to guess.

I have three or four random passwords I developed, using sites that generate them. I pick ones I can remember. Then I use each for a different site, but... change the beginning and/or end of it, such as with a tag to make it unique to that site. For example, for a gmail account, I might put my username (in whole or in part) on it. Sometimes in caps, sometimes in lower case; sometimes both, at the beginning and/or end. Mix and match. You do have to remember a little; can't be all brain dead. But just in case, I keep an Excel spreadsheet with all of my passwords for my various sites on it, and other relevant information (answers to personal questions, and the like). Works for me.

Jimmy

robert

12345 is the best password. Only gay geek need some password they will never remember - the other 99.99% population are sick and tired of the sites that will not allow you any password you want. Like if I want all my passwords to be 123? What is your problem? Do you save your money in my account? Mind your own business. It is so annoying when sites will not let you use an easy to remember password and then you go through the reset procedure. Like an ass. Everyone should decide for himself - geeks should keep the A_ryU&6Gfdg$ passwords, and we should be left alone to keep the 123. I also don't lock my door in car and house - do you want to make me do it?

Craig

I forcibly prevent my little kids from burning their hand on the stove. One day they will be smart enough to make that decision on their own. You think you're smart enough to decide--but only someone who doesn't understand identity theft ignores password security, so you're not.

lairdtschonnie

I find the easiest way to remember a password is to use, say, the word JIBBERISH - but in such a form that it isn't actually "jibberish" - for instance J!883r!5H. With the . at the end, you have just created a password that's easy to remember but also complies with just about every security guideline - i.e., at least ten letters, numbers, capitals, lower case and symbols.